A rather tactless thing to say after hackers gain access to records of up to 4M customers.

The CEO of TalkTalk, Dido Harding, has opted for an unusual tack. In the wake of a massive cyberattack last week, in which the details of up to 4 million TalkTalk customers were leaked, Harding told the Sunday Times that her company was "not legally required" to encrypt customer data.

Here's Harding's quote in full (paywalled): "[Our data] wasn't encrypted, nor are you legally required to encrypt it. We have complied with all of our legal obligations in terms of storing of financial information."

Harding's words might be tactless, but they don't appear to be incorrect. The UK's Data Protection Act doesn't stipulate that data must be encrypted; instead, it merely says that "appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

Following the attack on Wednesday, the Metropolitan Police cyber crime unit launched an investigation to try and ferret out the perpetrator. On Sunday, TalkTalk said that it had also hired the cyber intelligence division of defence contractor BAE Systems.

Over the weekend, TalkTalk confirmed that the hackers had only breached its website and not its core systems. TalkTalk still won't confirm how much data was accessed, or how many customers were affected, though it did say that its website only held incomplete credit card numbers with the middle digits removed. (Though why the website stored partial credit card numbers in unencrypted form is still quite a mystery indeed.)

Further Reading

While we're still at a loss as to who the attacker might've been, TalkTalk may have one lead: on Friday, the company said it received a ransom demand for £80,000 in bitcoins (about 430 BTC). According to Brian Krebs, who spoke to a source "close to the investigation," the person who sent the ransom also attached a copy of TalkTalk's user database—to prove that the ransom was actually legit, and not just a random person trying to cash in on TalkTalk's misfortune.

If you're a TalkTalk customer, the company has an FAQ with a few more details about the attack. The company is currently suggesting that all customers change their TalkTalk password, "and any other account that uses the same password." There's also 12 free months of credit monitoring alerts through Noddle, if you're worried about identity theft and the like. For those of you who are keeping count at home, this is TalkTalk's third breach this year.

Sebastian Anthony
Sebastian is the editor of Ars Technica UK. He usually writes about low-level hardware, software, and transport, but it is emerging science and the future of technology that really get him excited. Emailsebastian@arstechnica.co.uk//Twitter@mrseb